


Middle Earth Ops: Rubberhose Cryptanalysis

by WAR10CKcrimsondemon



Category: The Lord of the Rings - All Media Types
Genre: Computers, Cryptanalysis, Cryptography, Hacking, Other, Security, deniability, file system, rubberhose
Language: English
Status: Completed
Published: 2014-11-14
Updated: 2015-04-05
Packaged: 2018-02-25 09:42:31
Rating: General Audiences
Warnings: No Archive Warnings Apply
Chapters: 2
Words: 4,242
Publisher: archiveofourown.org
Story URL: https://archiveofourown.org/works/2617277
Author URL: https://archiveofourown.org/users/WAR10CKcrimsondemon/pseuds/WAR10CKcrimsondemon
Summary: This wall of text is making fun of all the torture fics of Legolas I keep seeing floating around the internet. Basically this consists of a random storyline, an IRC chat log, and a personal log regarding a special encryption system that can keep its secrets safe even if the user is tortured for the encryption keys.

I might add more to this later depending on what comes to mind. But I don't really know. I don't think I am really being serious about this one.





	1. Chapter 1

The Technomancer Warrior Darken Rahl has installed the finished Marutukku File System on a computer. The Telecomix Middle Earth Crypto Munitions Bureau wants to know how effective it will be in the field and asked on their ciphercat operations wiki that a field test be carried out. So Darken Rahl sent the elf prince Legolas out to test the system. He has provided him with a laptop with Marutukku installed on it and encrypted a cache of low level intelligence on it along with Legolas' personal non essential files. He is expecting the test to work perfectly.

This Cryptographically Deniable File System is designed to be resistant to Rubberhose Cryptanalysis, another word for having the keys scraped from their very mouths and other appendages through torture. It is designed so that talking is useless because it would not be possible to tell if you talked or not. All classified information, from SECRET all the way up to TOP SECRET SCI, is protected by Marutukku. All technomancer operatives must use this to store classified information on personal computers.

In short the entire disk is filled with quantum random data and then the actual data is encrypted and fragmented in their own aspect which is spread evenly across the disk. The Polymorphic Engine is designed to mutate and scramble the fragmented aspects over a random time variant to make surface analysis attacks impossible. Further security measures ensure that the data is not compromised.

So in theory it should not be possible for the orcs nor Legolas himself to determine if he has revealed all of the keys to the disk because of the fact that the scrambled blocks of encrypted data are hidden among random computer garbage. So it should matter not what form of torture that he is subjected to, the intelligence should remain secure and as he continues to reveal keys to non essential files the claim that there are no more keys becomes more valid. 

The way the system is set up is also designed to reveal nothing about the disk itself. Each aspect has no information about the others except where to avoid overwriting other aspects. The mapping of each aspect is self contained inside itself. However Darken Rahl added an extra layer of security around the Master Key: a security virus that is designed to completely shred the entire disk and file system when the key itself is used to decrypt the disk by a user or attacker.

Whether it be leather whips, daggers, swords, brands, or the rack, extraction of information should not be possible.  
__________________________________________________________________  
Login: #StopWatchingUs!  
Password: EdwardSn0wdenFTW!11elevendyone  
ACCESS GRANTED! Sektor 7 Remote Access Client.  
Anonymous Middle Earth >> SECURE CONNECTION: STABLE.  
Telecomix Middle Earth >> SECURE CONNECTION: STABLE.  
Par:AnoIA Middle Earth >> SECURE CONNECTION: STABLE.  
Guild of Biomancers ME >> SECURE CONNECTION: STABLE.  
Guild of Technomancers ME >> SECURE CONNECTION: STABLE.

Telecomix Cipherspace Commline Active: I2P Secure Connection >> Stable.  
IRC_SECURE_CHANNEL >> CYPHER SECURED  
WELCOME TO THE FRACTAL CIPHERSPACE!  
#CipherCat 

WAR10CK > Alright I have the Marutukku field test underway.  
ELFhash > How is this going to work?  
WAR10CK > I sent Legolas to Rivendell to deliver a cache of intelligence to our technomancer asset there. He was given a laptop that he has had for a while now and I helped him install the file system onto it. The intelligence cache has been placed in its own aspect and encrypted.  
SabuSaber > Surely there are some other files on the computer that can be used as decoys right? The whole idea of Marutukku is that the classified data can remain safely hidden under duress.  
WAR10CK > He has all of his non essential personal files in another aspect along with general computer work files in yet another aspect. Finally he has his entertainment and gaming files in a fourth aspect. So he should not have to worry about risking the classified aspect.  
ELFhash > Exactly how is he going to test the cryptographic deniability of the system?  
CipherCat > Yeah cuz I highly doubt that there are a lot of places or people that will use rubberhose attacks to test systems.  
WAR10CK > Oh none of us or anyone we know are going to run the test. The orcs that capture him are going to do that part.  
SwordMastr > Captured?  
WAR10CK > Yes. You see neither he nor anyone who has connections to him knows that this is actually a field test. They just think he is going to deliver some information to some allies in Rivendell.  
SabuSaber > And...  
WAR10CK > I accidentally let it slip that Legolas might be delivering some valuable information regarding the orcs' master but that I am not sure about it. They should intercept him and drag him down to the black pits black site and have him interrogated. But because of how the FS works those orcs should not be able to prove that there is even encrypted data on this disk.  
Konec > They do have some resident technomancers that will analyze the disk for encrypted data. Most likely they will be able to tell that the system is using the program.  
WAR10CK > What? Those dumb orcs? They lack even the most basic cryptography skills and their technomancers are stupid! There is no way that they can tell anything.  
MirkMoar > You realize that he could die from the torture. That would certainly invoke someone's wrath.  
WAR10CK > Don't worry. I am confident that he will make it through the ordeal alive. Besides he is bound to be rescued sooner or later after capture usually days afterwards.  
CryptoLocker > Why Legolas?  
WAR10CK > Because he has been through much more torture than I have. Believe me I know. Not to mention I am too well known to them to conduct an actual field test with me as the test subject.  
Konec > Oh ok.  
MirkMoar > You realize this is wrong on so many levels! You are sending an unsuspecting young elf and a noble at that to be tortured half to death in the most depraved and terrible conditions for something that he will never understand.  
WAR10CK > Yes I admit that I am but it is necessary for the war against Sauron and his evil plans. Once he can prove that this system works then we can have it approved for field use.  
ELFhash > But still surely there is another way besides this right? I mean think about it. How would you like to be essentially handed over to people who will torture you in the most unspeakable of ways without really knowing the true reason for your suffering and possible death?  
WAR10CK > I am not going to answer that. Look your derailing tactics are not going to work on me or anyone else here.  
>ELFhash was kicked from #CipherCat by SabuSaber for the following reason: DERAILING ATTEMPT.  
CipherCat > I agree this is not the time to be discussing morality!  
ELFhash > I am just saying that you are being very dishonest and rather cruel too.  
WAR10CK > Too bad. Life is cruel on Middle Earth. DEAL WITH IT! Besides it is not like I expect him to die with his secrets. He is going to be rescued or escape like usual when he gets captured. It is just that there is a chance that he might not survive. There is a big difference between there being a chance of death and actually dying.   
WAR10CK > Also before you say it, yes he might not make it back in one piece and there might be severe and crippling injuries and mutilation. But both the Biomancers and Technomancers have perfected an advanced regeneration technology that is far beyond the capabilities of your healers. If he is maimed in any way we can repair him.  
__________________________________________________________________ 

`TECHNOMANCER ENCRYPTED DATA DECODED >> KHAZAD-128 CBC`

`Darken Rahl Personal Log No. 12.915.1`

`So I sent Legolas over to Rivendell to deliver some intelligence on a laptop that is encrypted with the Rubberhose Proof File System Marutukku. I sent him there because according to the satellite grid there is a contingent of orcs that work for someone in the Mordor Sector. He knows all the keys to the information in the laptop because it is his computer. `

`Why am I not warning him of the orcs? Because I want him to get captured for interrogation to test the effectiveness of Marutukku. He does not know that this is a field test and that the intelligence is sensitive but unclassified. He only knows what keys hold the intelligence and that those are the keys that must remain hidden. I am too resistant to their type of interrogation and they know me too well.`

`I made sure that Legolas knows exactly how the Marutukku System works and how it intentionally negates the option to cooperate or "talk". I also made sure that he knows exactly what Rubberhose Cryptanalysis is as well. I told him that this system should ensure that any information that must be delivered to anyone remains secure even from people who would be cowardly enough to choose talking.`

`Aragorn has been sent to accompany him in the journey but even he does not know that this is a field test because that would potentially compromise the integrity of it. In fact only I and a few other technomancers know that this is actually a field test of a new secure file system. I am keeping Legolas' family and friends out of the loop for fear of compromising the field test. No one else on Middle Earth knows what this delivery is really for.`

`After all I am pretty sure that no one would knowingly or willingly allow Legolas to be captured and tortured to test the effectiveness of a program. There is a chance that he may be severely crippled and even tortured to death by the orcs but I am confident that he will survive and if he is maimed then he can be repaired. But most likely he will be rescued or escape before it gets to that point. --`


	2. Chapter 2

Mirkle@TelecomixME.nerr writes:

> I figure the best we can do is to hide the contents of S with crypto and   
> hide its existence through other means. Traditional stego works well   
> for this latter goal, but it does not give us a way to cough up something   
> meaningful in place of S, which could be very handy.   
>   
> In short, certainly the existence of S needs to be hidden, and it would be   
> best to hide it in plain sight as it were, in a big junk pile with   
> everything else on the drive.   
>   
> Indexing this huge mess of data to allow for a practical system to work   
> with is certainly a challenge, and in all likelihood impossible given the   
> parameters of the system.   
>

Marutukku (our rubber-hose proof file system) addresses most of these technical issues, but I'd like to just comment on the best strategy game-theory wise, for the person wielding the "rubber-hose".

In Marutukku the number of encrypted aspects (deniable "virtual" partitions) defaults to 16 (although it is theoretically unlimited). As soon as you have over 4 pass-phrases, the excuse "I can't recall" or "there's nothing else there" starts to sound highly plausible.

Ordinarily the best strategy for the torturers, the Orcs, is to keep on torturing keys out of Legolas indefinitely till there are no keys left. However, and importantly, in Marutukku, Legolas can never prove that he has handed over the last key. As Legolas hands over more and more keys, the Orcs can make observations like "the keys he has divulged correspond to 85% of the bits". However at no point can the Orcs prove that the remaining 15% don't simply pertain to unallocated space, and at no point can Legolas, even if he wants to, divulge keys to 100% of the bits, in order to bring the un-divulged portion down to 0%. An obvious point to make here is that fraction-of-total-data divulged is essentially meaningless, and both parties know it - the One Ring's location aspect may only take up .01% of the total bit-space.

What I find interesting, is how this constraint on Legolas's behaviour actually protects him from revealing his own keys, because each party, at the outset can make the following observations:

Orcs: We will never be able to show that the elf has revealed the last of his keys. Further, even if the elf has co-operated fully and has revealed all of his keys, he will not be able to prove it. Therefore, we must assume at every stage that the elf has kept secret information from us, and continue to torture him, even though he may have revealed the last of his keys. But the whole time we think, will it really do any good to continue to allow the torture to continue, because the elf may have co-operated fully? The elf will have realised this though, and so presumably it's going to be very hard to get keys out of him at all.

Legolas: (Having realised the above) I can never prove that I have revealed the last of my keys. In the end I'm bound for continued torture, even if I can buy brief respites by coughing up keys from time to time. Therefore, it would be foolish to divulge my most sensitive keys, because (a) I'll be that much closer to the stage where I have nothing left to divulge at all (it's interesting to note that this seemingly illogical, yet entirely valid argument of Legolas's can protect the most sensitive of his keys the "whole way through", like a form of mathematical induction), and (b) the taste of truly secret information will only serve to make the Orcs come to the view that there is even higher quality information yet to come, re-doubling their torture efforts to get at it, even if I have revealed all. Therefore, my best strategy would be to (a) reveal no keys at all or (b) depending on the nature of the Orcs, and the psychology of the situation, very slowly reveal my "duress" and other low-sensitivity keys.

Legolas certainly isn't in for a very nice time of it (although he's far more likely to protect his data).

On the individual level, you would have to question whether you might want to be able to prove that, yes, in fact you really have surrendered the last remaining key, at the cost of a far greater likelihood that you will. It really depends on the nature of your opponents. Are they intelligent enough to understand the deniable aspect of the cryptosystem and come up with the above strategy? Determined to the aspect they are willing to invest the time and effort in wresting the last key out of you? Ruthless - do they say "Please", hand you a Court Order, or is it more of a Black Pits affair?

But there's more to the story.

Organisations and groups may have quite different strategic goals in terms of key retention vs torture relief to the individuals that comprise them, even if their views are otherwise co-aligned. A simple democratic union of two or more people will exhibit this behaviour.

When a member of a group, who uses conventional cryptography to protect group secrets is tortured, they have two choices (1) defecting (by divulging keys) in order to save themselves, at the cost of selling the other individuals in the group down the river or (2) staying loyal, protecting the group and in the process subjugating themselves to continued torture.

With Rubberhose-style deniable cryptography, the benefits to a group member from choosing tactic 1 (defection) are subdued, because they will never be able to convince their interrogators that they have defected. Rational individuals that are "otherwise loyal" to the group will realise the minimal gains to be made in choosing defection and choose tactic 2 (loyalty) instead.

Presumably most people in the group do not want to be forced to give up their ability to choose defection. On the other hand, no one in the group wants anyone (other than themselves) in the group to be given the option of defecting against the group (and thus the person making the observation). Provided no individual is certain* they are to be tortured, every individual will support the adoption of a group-wide Rubberhose-style cryptographically deniable crypto-system. This property is communitive, while the individual's desire to be able to choose defection is not. The former every group member wants for every other group member, but not themselves. The latter each group member wants only for themselves.

* "certain" is a little misleading. Each individual has a threshold which is not only proportional to the perceived likelihood of being tortured over one's dislike of it, but also includes the number of individuals in the group, the damage caused by a typical defection to the other members of the group etc.

Cheers, Darken Rahl.  
_______________________________________________________________________________

LOCATION: Guild of Technomancers Alpha-1 Headquarters, Rivendell, Elven Sector.

Inside the Alpha-1 Research Facility Darken Rahl was working with some of the other technomancers on a new Secure Cryptographic Module for the I2P and Tor Servers because the latest exploit used sorcery to extract the keys from the older chips. So with this one they are installing Anti-Magic components that will vaporize the chip if any magical energy touches it.

While that is being done one of the others is working on a series of non passphrase based keying methods for authentication and decryption. He is posting the reference code to the cryptoanarchy wiki hosted in an undisclosed location. The following methods are being worked on as in the actual wiki post:

For some time now, our group has been working on a cryptographically-deniable block storage device (aka Marutukku), on which regular file-systems can be mounted, targeted at the human/activist community. We expect to release a developers code set at the Middle Earth Usenix Conference in the Gondor palace next week.

This is like a regular encrypted disk except that it supports multiple keys, where it is computationally infeasible given some of those keys to show that there are more keys, or that particular blocks of data are being used to store something other than unallocated space. Even for the legitimate user.

This mitigates against coercive interrogations and legal compulsion. Only "safe" information need be revealed. It isn't possible to show that additional information exists. Nor is it possible for the subject of a coercive demand to show that they have revealed all information. Thus a rational coercer can never demand proof of full co-operation, as its provision is computationally infeasible.

We have assorted kernel modules for Linux, NetBSD and FreeBSD. Although these modules are designed to abstract away OS primitives and provide a fast kernel-userland messaging layer so the effort involved in porting to other operating systems is minimised.

However there are ways to protect against coercive interrogations that can be layered on top of cryptographic deniability. Keying schemes can be chosen that have beneficial psychological or psychological properties. These novel keying schemes are often but not always graphical in nature, which has implementation considerations.

At the moment we have a passphrase-based keying feeding into a sophisticated key set up routine (that enforces 1 second of original cpu time per attempted key). However, passphrase based keying is non-optimal under many circumstances that the target group (human rights workers) might encounter, because passphrases can be quickly conveyed by speech or writing. That is:

1) Interrogations can take place in the Black Pits and not the computer room. It's nicer, particularly given the frequency of equatorial despotism to be tortured in the computer room.

2) Revealing a passphrase only requires (some of) the brain and jaw or hand to be left functional.

3) Revealing a passphrase is quick and requires few higher cognitive functions, thus it is vulnerable to peak pain, hallucinogens and `truth drugs' such as scopolamine.

4) A single observation of a passphrase is enough to grasp the whole keying state. Keyboard sniffers are cheap and in some regions at least, video bugging is not uncommon.

A good keying system prevents revealing of the key, placing the subject of interrogation in a hostile environment (i.e not the computer room), damage to as many parts of the subject's body as possible, retardation of the subjects mental faculties and retardation of the subject's free will. The keying system should also be practical enough to be used and adopted by real life people, and not require expensive or hard to find hardware.

Where a group of co-operating individuals is concerned, keying schemes should discourage defection against the group of individuals being coercively interrogated. Rubberhose cryptographic deniability discourages defection due to the subject's inability to show that they have fully complied with the interrogation (thus the incentive to defect, or at least defect completely, is minimised), but perhaps novel keying schemes can augment this.

It is important to understand that Marutukku requires keying and not authentication. However any authentication method can be turned into a keying method, provided sufficient information for the authentication isn't held on the "server". For an example, Marutukku could issue n challenges, each of which the user's authentication algorithm authenticates or fails to authenticate; the hash of the concatenated authenticated challenges then forms the key. However schemes like this require n to be >=48, which seems practical only for automated methods, or combined with another method which presents more bits of key entropy per iteration.

Some possible alternatives to passphrase based keying (we have some more notes on these ideas, but no code or concrete design documentation):

1) Interactive transposition matrixes. This is a simple method to prevent immediate keyboard sniffing. The user keeps their passphrase in their head, and for each letter a transposition matrix is displayed on the screen.

2) Maze walking. A maze with several "landmarks" is drawn on the screen. The user must "visit" and move past these landmarks in a particular order and direction.

3) Enhanced face recognition. Several arrays of faces are displayed. The user must choose the numbers next to each face, perform a simple mathematical operation on them and input the number.

4) Constraint/simile problems. The user is presented with several secret knowledge problems of A is to B as C is to ? in different forms which test areas of cognitive function and or visual function which would be affected by drugs or severe pain.

5) Grid drawing. The user draws shapes within an n x n matrix. The direction of boundary crossing forms the key. For a similar idea, see "Graphical Passwords", a paper presented at last year's Usenix security symposium.

6) Colour contrast discrimination. It has been shown that individuals see slightly different hues due to visual cortex and cone cell / retina variation. It may be possible to design moire or other tests on 24 bit displays which are recognisable by one party but not another. Just hope no-one runs a magnet over your monitor.

7) Forward Error Correction based biometric keying. Traditionally signature and individual biometric variation tests have failed to provide good alternatives for keying, for two reasons. 1) the bio-authorisation template is "secret", hence useless for something like Marutukku, where *all* secrecy is derived from the key. 2) quantisation by the template of the inherent analog variability in the biological source in order to match with the template dramatically reduces the keyspace. A FEC based approach may resolve these issues.

Our current designs for pluggable keying mechanisms simply introduce saved state on stdin and expect output state (which is subsequently hashed to form the key) on stdout.

As novel keying methods are an interesting problem that requires lateral thinking rather than specialist cryptographic expertise, I thought it may be of interest to ocaml coders in general.  
_______________________________________________________________________
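
The challenge-based keying described in the wiki post above (n challenges, each authenticated or not, with the hash of the concatenated authenticated challenges forming the key), as an added example that is not part of the original post or Marutukku's code. The HMAC-based `user_accepts` predicate, the PBKDF2 stretching step, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from itertools import product

CHALLENGE_SIZE = 16   # fixed size, so the concatenation of a subset is unambiguous
MIN_CHALLENGES = 48   # the post's lower bound for n


def make_challenges(n, label=b"constructed-challenge"):
    """Saved state kept on disk: the challenges only, never the answers.
    Constructed deterministically here so the example is repeatable; a real
    volume would draw them from a CSPRNG such as secrets.token_bytes()."""
    return [hashlib.sha256(label + i.to_bytes(4, "big")).digest()[:CHALLENGE_SIZE]
            for i in range(n)]


def user_accepts(secret, challenge):
    """Hypothetical stand-in for the user's authentication algorithm
    (recognising a face, solving a simile problem): accept or reject."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[0] & 1 == 1


def answer_pattern(secret, challenges):
    """The accept/reject decision for every challenge, in order."""
    return tuple(user_accepts(secret, c) for c in challenges)


def key_from_pattern(challenges, pattern, salt, iterations):
    """Key = stretched hash of the concatenated accepted challenges.
    Every pattern yields some key; there is no 'wrong answer' signal."""
    accepted = b"".join(c for c, ok in zip(challenges, pattern) if ok)
    state_hash = hashlib.sha256(accepted).digest()
    # PBKDF2 is an assumption standing in for the post's key set-up routine.
    return hashlib.pbkdf2_hmac("sha256", state_hash, salt, iterations)


def derive_key(secret, challenges, salt, iterations=200_000):
    if len(challenges) < MIN_CHALLENGES:
        raise ValueError("need at least %d challenges" % MIN_CHALLENGES)
    pattern = answer_pattern(secret, challenges)
    return key_from_pattern(challenges, pattern, salt, iterations)


def exhaust_patterns(challenges, salt, iterations, key_works):
    """Why n must be large: with the saved state in hand, anyone who can test
    a candidate key needs at most 2**n tries, whatever the secret is."""
    patterns = product((False, True), repeat=len(challenges))
    for tries, pattern in enumerate(patterns, 1):
        if key_works(key_from_pattern(challenges, pattern, salt, iterations)):
            return pattern, tries
    return None, 2 ** len(challenges)


if __name__ == "__main__":
    salt = b"constructed-salt"
    full = make_challenges(MIN_CHALLENGES)
    key = derive_key(b"real secret", full, salt)
    other = derive_key(b"guessed secret", full, salt)
    print("right secret:", key.hex())
    print("wrong secret:", other.hex(), "(still a valid-looking key)")

    small = make_challenges(8)   # deliberately too few challenges
    target = key_from_pattern(small, answer_pattern(b"real secret", small), salt, 1)
    pattern, tries = exhaust_patterns(small, salt, 1, lambda k: k == target)
    print("8 challenges exhausted after", tries, "of", 2 ** 8, "patterns")
```

Because the saved state holds no answers and every response pattern produces a key, the scheme keys the volume without authenticating the user; the accept/reject pattern contributes at most one bit per challenge, which is why a small n is searchable.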

Post by WAR10CK:

One of my friends at the Gamma-3 Headquarters in northern Mirkwood was talking about a time/remote based security program.

1) Fixed delay before activation. The safe unlocks n hours after you request 

2) Fixed time of day. The safe unlocks for a brief window of time each day (i.e when she's about to go to work).

3) On remote command. If there is an urgent special operation, the safe may be unlocked by remote (telephone) control.

We can apply all these ideas to marutukku. All of these can of course be subverted by the legitimate user (after the first instance). Short of tamper proof hardware there is no way to avoid this. However it should be remembered what the nature of the problem is, and that it is the legitimate user we are attempting to protect, by constraining the actions they can take under duress.

1) Can be implemented by simply abusing our initial iteration counter. The time limit can be abridged by an attacker in proportion to their relative cpu speed vis a vis the victim.

2) It is hard to see how this can be implemented both securely and efficiently. We could keep a continual crypto-clock going as per point 1, but many users would find the cpu usage intolerable. On the other hand, if the attacker is lower-echelon (pun intended), this could be valuable to the user. A compromise position could be taken whereby the crypto-clock runs at 1/4 speed, enabling it to detect simple clock adjustment attacks. However this doesn't work very well with suspended or slowed cpu devices such as laptops.

3) This idea is the most interesting. There are a number of possible implementations, but here is the one I think those out in the field would find most useful:

**Author's Note:**

> Marutukku is a real program written by the founder of Wikileaks. It remains an incomplete project but it is very secure.
> 
> Rubberhose Cryptanalysis is a term in the security field that is defined as the use of force to coerce a person into revealing their keys and secrets. Usually by the use of torture such as beating with a rubberhose. This is also known as a Rubberhose Attack.


